I have several questions about authentication and authorization in Tomcat
below, so answer only what you can :) Thanks.

Where does Tomcat authentication fit into the request processing lifecycle?
Does it happen before even the very first filter gets called? What happens
just before and just after authentication?

Where does the role-based authorization fit into this process?

When you login using form-based authentication, where invalid login attempts
redirect to the "form-error-page", how do you add a custom message to that
page saying "Login Failed"? I ask because common practice is to send the
user to the same login page rather than a different page.

Is it configurable whether Tomcat uses redirects or forwards after
successful or unsuccessful attempts? What's the default for each?

How can you use JDBCRealm or DataSourceRealm with foreign keys from the roles
table to the user table, rather than requiring the roles table to duplicate
whatever field (e.g. username, email address) will actually be entered into
the login screen? I ask because using simple text matching rather than the
primary key of the user table seems a bit inefficient, but more importantly it
may be disallowed by data standards in some organizations.

Thanks.
-- 
View this message in context: 
http://www.nabble.com/Authentication-and-authorization-questions-tf4345698.html#a12380709
Sent from the Tomcat - User mailing list archive at Nabble.com.
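An added example for the last question (foreign keys between the roles and
user tables), not code from the original post or from Tomcat. It relies on
one fact about DataSourceRealm: the realm builds its two lookups as
`SELECT <userCredCol> FROM <userTable> WHERE <userNameCol> = ?` and
`SELECT <roleNameCol> FROM <userRoleTable> WHERE <userNameCol> = ?`, so
`userRoleTable` only has to be something the database can SELECT from. Pointing
it at a view that joins a surrogate-keyed membership table to the users table
lets the roles side hold only foreign keys, with no duplicated username. The
table and column names, the JNDI name `jdbc/AppDB`, the sample users and the
SHA-256 stand-in for the credential format are all assumptions chosen for the
example; it uses Python's built-in sqlite3 so it runs offline.

```python
"""
Added example (not from the original post or from Tomcat): users/roles
schema keyed by foreign keys plus a view shaped the way DataSourceRealm
expects its role lookup table. Runs on Python's built-in sqlite3.

Assumed Realm configuration matching this schema (names are the example's
own choices):
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/AppDB"
         userTable="users" userNameCol="username" userCredCol="password"
         userRoleTable="user_roles_view" roleNameCol="role_name"/>
"""
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT    NOT NULL UNIQUE,
    password TEXT    NOT NULL            -- stored digest, never plaintext
);

CREATE TABLE roles (
    id        INTEGER PRIMARY KEY,
    role_name TEXT    NOT NULL UNIQUE
);

-- Membership is keyed purely by surrogate ids: no username is duplicated here.
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    role_id INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
    PRIMARY KEY (user_id, role_id)
);

-- The view userRoleTable points at. Its column names must equal userNameCol
-- and roleNameCol exactly, because Tomcat names both columns in its query.
CREATE VIEW user_roles_view AS
    SELECT u.username AS username, r.role_name AS role_name
    FROM user_roles ur
    JOIN users u ON u.id = ur.user_id
    JOIN roles r ON r.id = ur.role_id;
"""

# The two statements DataSourceRealm issues, with the attribute values above
# substituted in (the realm binds the submitted username as the parameter).
CRED_SQL = "SELECT password FROM users WHERE username = ?"
ROLES_SQL = "SELECT role_name FROM user_roles_view WHERE username = ?"


def digest(password: str) -> str:
    """Stand-in for the credential encoding; the real format depends on the
    realm's digest/CredentialHandler settings and is not modelled here."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # sqlite enforces FKs only on request
    conn.executescript(SCHEMA)
    return conn


def seed(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Load constructed sample data and return the same connection."""
    conn.executemany("INSERT INTO users(id, username, password) VALUES (?, ?, ?)",
                     [(1, "alice", digest("correct horse")),
                      (2, "bob", digest("battery staple"))])
    conn.executemany("INSERT INTO roles(id, role_name) VALUES (?, ?)",
                     [(10, "tomcat"), (11, "manager-gui")])
    conn.executemany("INSERT INTO user_roles(user_id, role_id) VALUES (?, ?)",
                     [(1, 10), (1, 11), (2, 10)])
    conn.commit()
    return conn


def stored_credential(conn: sqlite3.Connection, username: str):
    row = conn.execute(CRED_SQL, (username,)).fetchone()
    return row[0] if row else None


def roles_for(conn: sqlite3.Connection, username: str) -> list:
    return sorted(r[0] for r in conn.execute(ROLES_SQL, (username,)))


def fk_rejects_orphan_membership(conn: sqlite3.Connection) -> bool:
    """A membership row for a user id that does not exist is refused by the
    database itself, which is the integrity guarantee the post is after."""
    try:
        conn.execute("INSERT INTO user_roles(user_id, role_id) VALUES (?, ?)", (999, 10))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


if __name__ == "__main__":
    db = seed(open_db())
    print("alice roles:", roles_for(db, "alice"))
    print("bob roles:", roles_for(db, "bob"))
    print("unknown user roles:", roles_for(db, "mallory"))
    print("FK blocks orphan membership:", fk_rejects_orphan_membership(db))
```

The only constraint the view has to satisfy is the column naming, since the
realm writes the literal `userNameCol` name into both queries; the rest of the
schema is free to use surrogate keys and whatever login field the users table
exposes.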

